On 25.11.2011 22:47, da...@lang.hm wrote:
> On Fri, 25 Nov 2011, Rainer Gerhards wrote:
>
>>> -----Original Message-----
>>> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Robert Schetterer
>>>
>>> Hi @ll,
>>> I am new to this list and not very familiar with rsyslog, so sorry if my question was asked/answered before.
>>>
>>> My goal is filtering spamhaus rbl ips from the postfix mail log.
>>> I have already done (on suse):
>>>
>>> mail.info -/var/log/mail.info;RSYSLOG_TraditionalFileFormat
>>> if $msg contains 'blocked using zen.spamhaus.org' then /var/log/spamhaus.log;RSYSLOG_TraditionalFileFormat
>>>
>>> This works fine, but as I have a lot of spambots, fail2ban is too slow with this already filtered log.
>>>
>>> So I want to have a second or combined rsyslog rule which results only in the ip.
>>>
>>> A relevant log entry example looks like this:
>>>
>>> postfix/postscreen[32120]: NOQUEUE: reject: RCPT from [190.24.212.146]:57855: 550 5.7.1 Service unavailable; client [190.24.212.146] blocked using zen.spamhaus.org; from=<some...@somewhere.de>, to=<some...@somwhere.de>, proto=ESMTP, helo=<MCRISTALCRE>
>>>
>>> The plan would be: set the ip output to i.e. a fifo pipe and read the output via some daemon script/program to create an iptables ip reject rule with timestamp via ipset map, which expires automatically after 24 h; this should be as fast as possible.
>>>
>>> So, anybody with an example for filtering this?
>>>
>>> By the way, someone speculated rsyslog may be able to do the whole job, filtering the ip and doing the ipset action in one step; is this true? I am not that far in the docs yet.
>>
>> I have to admit that I do not fully understand your question. But it has been a long and busy day today ;) Could you try to describe in two or three sentences what you actually want to achieve?
>
> I think that what he is wanting to do is to create a custom output format that just contains the IP address (which would be something along the lines of a regex to match "\[([0-9.]+)\]") and log the output to a fifo for another script to handle.
>
> That script would have to modify the iptables rule and schedule for the rule to be removed 24 hours later (I don't believe that iptables supports an expiration time directly).

This example works for small tests, i.e. auto expire after 120 seconds:

rule
iptables -I INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --rcheck --seconds 120 -j REJECT --reject-with tcp-reset

add ip, i.e. 127.0.0.1
echo +127.0.0.1 > /proc/net/xt_recent/SMTP

delete
echo -127.0.0.1 > /proc/net/xt_recent/SMTP

> SEC (simple event correlator) is exactly the right type of tool for this type of work, just think through what will happen if the system gets rebooted before the 24 hours is up.

Mailservers get rebooted very rarely; anyway, it's not a problem here.

> He then asks if rsyslog can do everything. rsyslog could execute a command and pass it the IP address, but it doesn't have the ability to schedule things for the future, so it's not the right tool for this job.

Ok, understood: rsyslog can filter this and do some action, that's ok for me. Any idea what it should look like in the conf?

> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
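The thread sketches a pipeline (rsyslog selects the "blocked using zen.spamhaus.org" lines, a fifo hands them to a daemon, the daemon pushes the client IP into the xt_recent list that the iptables rule above consults) without showing the daemon side. The script below is an added example, written for this page and not posted by anyone in the thread; it is the fifo consumer for that pipeline. The fifo path /var/spool/rsyslog/spamhaus.fifo is a placeholder, the list name SMTP and the "+IP" write come from the iptables rule and the echo command in the message, and RECENT_FILE can be pointed at an ordinary file for testing. rsyslog's legacy pipe action (a file action whose target starts with "|") is what would feed the fifo; the rsyslog side is not part of this script.

```shell
#!/bin/sh
# Added example (not from the thread): consume the fifo that rsyslog writes
# the spamhaus reject lines to and add each rejected client IP to the
# xt_recent list named SMTP, which the iptables rule in the thread checks.
#
# Assumptions: RECENT_FILE defaults to /proc/net/xt_recent/SMTP (the real
# control file; override it with a regular file to test without root);
# the fifo path is a placeholder. The expiry itself is enforced by the
# iptables rule (--seconds 120 in the thread, 86400 for the 24 h wanted).

RECENT_FILE="${RECENT_FILE:-/proc/net/xt_recent/SMTP}"

# is_spamhaus_reject LINE: true only for the lines the rsyslog filter selects.
is_spamhaus_reject() {
    case "$1" in
        *"blocked using zen.spamhaus.org"*) return 0 ;;
        *) return 1 ;;
    esac
}

# extract_client_ip LINE: print the dotted quad inside "client [a.b.c.d]".
# Anchoring on "client [" picks the rejected client rather than the
# "RCPT from [ip]:port" field, and requiring four octets keeps a bare pid
# such as "postscreen[32120]" from matching. Prints nothing if absent.
extract_client_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*client \[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)\].*/\1/p'
}

# ban_ip IP: the "+IP" write from the thread. Appending (>>) behaves the
# same as > on the xt_recent proc file and keeps a record when RECENT_FILE
# is a regular file during testing.
ban_ip() {
    printf '+%s\n' "$1" >> "$RECENT_FILE"
}

# handle_line LINE: ban the client if LINE is a spamhaus reject; print the
# IP acted on so callers (and tests) can see the decision, nothing otherwise.
handle_line() {
    is_spamhaus_reject "$1" || return 0
    ip=$(extract_client_ip "$1")
    [ -n "$ip" ] || return 0
    ban_ip "$ip"
    printf '%s\n' "$ip"
}

# Daemon mode: "script.sh --run [fifo]" blocks on the fifo and reopens it
# whenever the writer closes it, so an rsyslog restart does not end the loop.
if [ "${1:-}" = "--run" ]; then
    FIFO="${2:-/var/spool/rsyslog/spamhaus.fifo}"   # placeholder path
    [ -p "$FIFO" ] || mkfifo "$FIFO"
    while :; do
        while IFS= read -r line; do
            handle_line "$line" >/dev/null
        done < "$FIFO"
    done
fi
```

Run it as root with --run once the iptables rule and the rsyslog pipe action are in place; without --run it only defines the functions, which is how the expected values below are checked against a constructed postscreen line.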